purl | pkg:deb/debian/libxml2@2.7.8.dfsg-2%2Bsqueeze8 |
Next non-vulnerable version | 2.9.14+dfsg-1.3~deb12u3 |
Latest non-vulnerable version | 2.9.14+dfsg-1.3~deb12u3 |
Risk | 6.4 |
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-1qs6-jwf1-fyds
Aliases: CVE-2016-1840 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-1tg8-f975-q3b9
Aliases: CVE-2022-40304 |
An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked. |
Affected by 16 other vulnerabilities. |
VCID-312j-73tn-nffq
Aliases: CVE-2012-0841 |
Affected by 83 other vulnerabilities. |
|
VCID-3fah-6hhr-pbdw
Aliases: CVE-2016-4658 GHSA-fr52-4hqw-p27f |
Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Nokogiri version 1.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs: CVE-2016-4658 CVSS v3 Base Score: 9.8 (Critical) libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document. CVE-2016-5131 CVSS v3 Base Score: 8.8 (HIGH) Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
VCID-3kn4-5bk5-7bht
Aliases: CVE-2020-7595 GHSA-7553-jr98-vx47 |
libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Nokogiri has backported the patch for CVE-2020-7595 into its vendored version of libxml2, and released this as v1.10.8 CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and so Nokogiri versions <= v1.10.7 are vulnerable. |
Affected by 16 other vulnerabilities. |
VCID-3mkc-h7u6-6beh
Aliases: CVE-2025-49796 |
A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory. |
Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. |
VCID-3zy6-h7hv-1yhr
Aliases: CVE-2025-6021 |
A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input. |
Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. |
VCID-49xa-3kty-6qhc
Aliases: CVE-2013-0338 |
Affected by 83 other vulnerabilities. |
|
VCID-4bbb-z5fx-57cd
Aliases: CVE-2016-1837 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-4bje-z48k-63ds
Aliases: CVE-2016-4449 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-64ng-ymyg-23a9
Aliases: CVE-2014-3660 |
Affected by 83 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-6h1b-etzt-juap
Aliases: CVE-2025-49794 |
A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors. |
Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. |
VCID-6mzw-ypdf-fbcc
Aliases: CVE-2017-0663 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-6s1u-2xvj-vkbz
Aliases: CVE-2025-32415 |
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. |
Affected by 4 other vulnerabilities. |
VCID-7745-ahpk-7ub6
Aliases: CVE-2019-19956 |
xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. |
Affected by 16 other vulnerabilities. |
VCID-78kj-x2mn-8qdh
Aliases: CVE-2017-9049 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-799v-6ksd-7ua4
Aliases: CVE-2017-5969 |
Affected by 36 other vulnerabilities. |
|
VCID-7qhn-mh6u-mfat
Aliases: CVE-2016-4447 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-7r7t-vtzn-gkgn
Aliases: CVE-2015-7942 |
Affected by 83 other vulnerabilities. Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-7sed-p55s-d3du
Aliases: CVE-2015-8317 |
Affected by 83 other vulnerabilities. Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-8may-masx-xbcx
Aliases: CVE-2016-1833 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-98wz-9bkm-qycr
Aliases: DSA-3057-2 libxml2 |
regression update |
Affected by 83 other vulnerabilities. |
VCID-9r6n-66y4-3be2
Aliases: CVE-2025-6170 |
A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections. |
Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. |
VCID-9ym4-6av7-aqe3
Aliases: CVE-2022-2309 GHSA-wrxv-2j5q-m38w PYSEC-2022-230 |
NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered. |
Affected by 4 other vulnerabilities. |
VCID-ax3s-mr28-8kdr
Aliases: CVE-2015-8241 |
Affected by 83 other vulnerabilities. Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-b7e6-kts2-7yhq
Aliases: CVE-2021-3518 GHSA-v4f8-2847-rwm7 |
Nokogiri Implements libxml2 version vulnerable to use-after-free There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability. |
Affected by 16 other vulnerabilities. |
VCID-bbv4-xhu4-5fhd
Aliases: CVE-2023-45322 |
Use After Free This advisory has been marked as False Positive and removed. |
Affected by 4 other vulnerabilities. |
VCID-bpwu-gpw3-qkcp
Aliases: CVE-2018-14404 GHSA-6qvp-r6r3-9p7h |
Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Nokogiri 1.8.5 has been released. This is a security and bugfix release. It addresses two CVEs in upstream libxml2 rated as "medium" by Red Hat, for which details are below. If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2. Full details about the security update are available in Github Issue #1785. [#1785]: https://github.com/sparklemotion/nokogiri/issues/1785 ----- [MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in #1785. Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2. ----- CVE-2018-14404 Permalink: https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html Description: A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application Canonical rates this vulnerability as "Priority: Medium" ----- CVE-2018-14567 Permalink: https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html Description: infinite loop in LZMA decompression Canonical rates this vulnerability as "Priority: Medium" |
Affected by 16 other vulnerabilities. |
VCID-bv8e-awwa-xkh4
Aliases: CVE-2011-3905 |
Affected by 83 other vulnerabilities. |
|
VCID-bzfw-1axb-wqcc
Aliases: CVE-2022-49043 |
xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free. |
Affected by 4 other vulnerabilities. |
VCID-cc7z-8nrg-4faw
Aliases: CVE-2017-9048 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-d5gp-ggk5-mkh5
Aliases: CVE-2023-39615 |
Improper Restriction of Operations within the Bounds of a Memory Buffer Xmlsoft Libxml2 v2.11.0 was discovered to contain a global buffer overflow via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. |
Affected by 4 other vulnerabilities. |
VCID-dmn7-56da-xqdm
Aliases: CVE-2011-1944 |
Affected by 83 other vulnerabilities. |
|
VCID-e7ny-dgdx-wqhb
Aliases: CVE-2025-32414 |
In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters. |
Affected by 4 other vulnerabilities. |
VCID-eq6f-psx4-zkfm
Aliases: CVE-2016-3705 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-evvr-nm7m-h3ec
Aliases: CVE-2017-7375 |
A flaw in libxml2 allows remote XML entity inclusion with default parser flags (i.e., when the caller did not request entity substitution, DTD validation, external DTD subset loading, or default DTD attributes). Depending on the context, this may expose a higher-risk attack surface in libxml2 not usually reachable with default parser flags, and expose content from local files, HTTP, or FTP servers (which might be otherwise unreachable). |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. Affected by 36 other vulnerabilities. |
VCID-fcjk-tjr1-f3d6
Aliases: CVE-2013-0339 |
Affected by 83 other vulnerabilities. |
|
VCID-fff8-g5p5-uba1
Aliases: CVE-2024-56171 |
libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. |
Affected by 4 other vulnerabilities. |
VCID-fjgx-n939-t7fz
Aliases: CVE-2015-8242 |
Affected by 48 other vulnerabilities. |
|
VCID-ftr9-5h71-z3et
Aliases: CVE-2021-3537 GHSA-286v-pcf5-25rc |
Nokogiri Implements libxml2 version vulnerable to null pointer dereferencing A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability. |
Affected by 16 other vulnerabilities. |
VCID-g4x2-pz9m-fqcd
Aliases: CVE-2016-5131 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-ge3f-yxqu-5fe1
Aliases: CVE-2021-3516 |
There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability. |
Affected by 16 other vulnerabilities. |
VCID-gry4-xmv4-vyfq
Aliases: CVE-2015-7497 |
Affected by 83 other vulnerabilities. Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-gtkh-p395-3qgm
Aliases: CVE-2012-5134 |
Affected by 83 other vulnerabilities. |
|
VCID-gzm2-d51q-m7h9
Aliases: DSA-2978-1 libxml2 |
security update |
Affected by 83 other vulnerabilities. |
VCID-gzy9-sf3x-nfdy
Aliases: CVE-2011-0216 |
Affected by 83 other vulnerabilities. |
|
VCID-h12s-4b71-ekev
Aliases: CVE-2015-5312 GHSA-xjqg-9jvg-fgx2 |
Nokogiri gem contains several vulnerabilities in libxml2 Nokogiri version 1.6.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs: CVE-2015-5312 CVSS v2 Base Score: 7.1 (HIGH) The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660. CVE-2015-7497 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors. CVE-2015-7498 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure. CVE-2015-7499 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. CVE-2015-7500 CVSS v2 Base Score: 5.0 (MEDIUM) The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags. CVE-2015-8241 CVSS v2 Base Score: 6.4 (MEDIUM) The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. 
CVE-2015-8242 CVSS v2 Base Score: 5.8 (MEDIUM) The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data. CVE-2015-8317 CVSS v2 Base Score: 5.0 (MEDIUM) The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read. |
Affected by 83 other vulnerabilities. Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
VCID-h8dr-ab5d-e7f4
Aliases: CVE-2025-27113 |
libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c. |
Affected by 4 other vulnerabilities. |
VCID-h9hr-7gnc-r7db
Aliases: CVE-2016-1836 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-jrfb-3mer-p3ar
Aliases: CVE-2017-5130 |
Out-of-bounds Write An integer overflow in xmlmemory.c in libxml2, as used in Google Chrome and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted XML file. |
Affected by 36 other vulnerabilities. |
VCID-kkxg-yzg1-n7cd
Aliases: CVE-2015-7500 |
Affected by 83 other vulnerabilities. Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-kt4k-xgcs-zkge
Aliases: CVE-2018-14567 |
libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035 and CVE-2018-9251. |
Affected by 16 other vulnerabilities. |
VCID-m5xb-cvm4-kbcq
Aliases: CVE-2016-1835 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-me2m-h7w3-3fad
Aliases: CVE-2011-3102 |
Affected by 83 other vulnerabilities. |
|
VCID-muvh-8zw6-tbbn
Aliases: CVE-2015-1819 GHSA-q7wx-62r7-j2x7 |
Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Several vulnerabilities were discovered in the libxml2 and libxslt libraries that the Nokogiri gem depends on. CVE-2015-1819 A denial of service flaw was found in the way libxml2 parsed XML documents. This flaw could cause an application that uses libxml2 to use an excessive amount of memory. CVE-2015-7941 libxml2 does not properly stop parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and libxml2 crash) via specially crafted XML data. CVE-2015-7942 The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data. CVE-2015-7995 The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check whether the parent node is an element, which allows attackers to cause a denial of service using a specially crafted XML document. CVE-2015-8035 The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data. Another vulnerability was discovered in libxml2 that could cause parsing of unclosed comments to result in "conditional jump or move depends on uninitialized value(s)" and unsafe memory access. This issue does not have a CVE assigned yet. See related URLs for details. Patched in v1.6.7.rc4. |
Affected by 83 other vulnerabilities. Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
VCID-mx2v-pgx9-w3cp
Aliases: CVE-2022-40303 |
An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault. |
Affected by 16 other vulnerabilities. |
VCID-n13q-cuhb-27g2
Aliases: CVE-2015-8806 GHSA-7hp2-xwpj-95jq |
Denial of service or RCE from libxml2 and libxslt Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt, which are libraries Nokogiri depends on. It was discovered that libxml2 and libxslt incorrectly handled certain malformed documents, which can allow malicious users to cause issues ranging from denial of service to remote code execution attacks. For more information, the Ubuntu Security Notice is a good start: http://www.ubuntu.com/usn/usn-2994-1/ |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
VCID-ns3t-ngra-3bc9
Aliases: CVE-2017-7376 |
Buffer overflow in libxml2 allows remote attackers to execute arbitrary code by leveraging an incorrect limit for port values when handling redirects. |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. Affected by 36 other vulnerabilities. |
VCID-nynq-shmv-uqd5
Aliases: CVE-2015-8710 |
Affected by 83 other vulnerabilities. Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-p2vf-ezg6-xkfy
Aliases: CVE-2022-29824 |
In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well. |
Affected by 36 other vulnerabilities. Affected by 16 other vulnerabilities. |
VCID-pjfp-br6v-p7dm
Aliases: CVE-2016-1762 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-pnw6-fh5n-2bdd
Aliases: CVE-2015-8035 |
Affected by 83 other vulnerabilities. Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-pvcp-v6b3-n3d6
Aliases: CVE-2013-2877 |
Affected by 83 other vulnerabilities. Affected by 81 other vulnerabilities. |
|
VCID-q7bf-8cx9-ckff
Aliases: CVE-2016-1839 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-qcfr-u9jt-1fex
Aliases: CVE-2017-16932 GHSA-x2fm-93ww-ggvx |
Nokogiri gem, via libxml, is affected by DoS vulnerabilities The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated this issue by upgrading to libxml 2.9.5. Wei Lei discovered that libxml2 incorrectly handled certain parameter entities. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service. |
Affected by 16 other vulnerabilities. |
VCID-qzdv-5fc6-vbea
Aliases: CVE-2015-7499 GHSA-jxjr-5h69-qw3w |
Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2 Nokogiri version 1.6.7.2 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVE: CVE-2015-7499 CVSS v2 Base Score: 5.0 (MEDIUM) Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors. libxml2 could be made to crash if it opened a specially crafted file. It was discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service. |
Affected by 83 other vulnerabilities. Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
VCID-ruge-mtxp-uugw
Aliases: CVE-2015-7498 |
Affected by 83 other vulnerabilities. Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-ryqv-b6d6-r7ed
Aliases: CVE-2016-3627 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-s24p-gfz1-d7cs
Aliases: CVE-2025-24928 |
libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047. |
Affected by 4 other vulnerabilities. |
VCID-s3nx-vfgs-suf5
Aliases: CVE-2016-4448 |
Affected by 48 other vulnerabilities. |
|
VCID-t2s3-2ehw-zkfu
Aliases: CVE-2021-3517 GHSA-jw9f-hh49-cvp9 |
Nokogiri contains libxml Out-of-bounds Write vulnerability There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application. Nokogiri prior to version 1.11.4 used a vulnerable version of libxml2. Nokogiri 1.11.4 updated libxml2 to version 2.9.11 to address this and other vulnerabilities in libxml2. |
Affected by 16 other vulnerabilities. |
VCID-t8uz-fut9-h7b2
Aliases: CVE-2011-2834 |
Affected by 83 other vulnerabilities. |
|
VCID-ucxk-b2cs-e3h1
Aliases: CVE-2016-2073 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-uhs1-t4hc-jqdk
Aliases: CVE-2016-3709 |
Possible cross-site scripting vulnerability in libxml after commit 960f0e2. |
Affected by 4 other vulnerabilities. |
VCID-upj8-wt85-tufp
Aliases: CVE-2017-15412 GHSA-r58r-74gx-6wx3 |
Nokogiri gem, via libxml, is affected by DoS vulnerabilities The version of libxml2 packaged with Nokogiri contains a vulnerability. Nokogiri has mitigated this issue by upgrading to libxml 2.9.6. It was discovered that libxml2 incorrectly handled certain files. An attacker could use this issue with specially constructed XML data to cause libxml2 to consume resources, leading to a denial of service. |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. Affected by 36 other vulnerabilities. |
VCID-uycx-qnb8-j3ax
Aliases: CVE-2023-28484 |
In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c. |
Affected by 16 other vulnerabilities. |
VCID-v174-ppdq-fkaj
Aliases: CVE-2016-1834 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-v61h-beq1-e3d5
Aliases: CVE-2017-8872 |
Affected by 36 other vulnerabilities. |
|
VCID-v6q3-n895-bkhv
Aliases: CVE-2015-7941 |
Affected by 83 other vulnerabilities. Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-vduf-gcuh-hfcx
Aliases: CVE-2017-16931 |
Affected by 36 other vulnerabilities. |
|
VCID-w2vx-75ad-cqc4
Aliases: CVE-2020-24977 |
GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has been fixed in commit 50f06b3e. |
Affected by 16 other vulnerabilities. |
VCID-w4x9-6waf-vbgh
Aliases: CVE-2014-0191 |
Affected by 83 other vulnerabilities. Affected by 81 other vulnerabilities. |
|
VCID-wbmd-sf6j-zkbw
Aliases: CVE-2011-2821 |
Affected by 83 other vulnerabilities. |
|
VCID-wmn5-vbnk-8qbe
Aliases: CVE-2017-9050 GHSA-8c56-cpmw-89x7 |
Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities The version of libxml2 packaged with Nokogiri contains several vulnerabilities. Nokogiri has mitigated these issues by upgrading to libxml 2.9.5. It was discovered that a type confusion error existed in libxml2. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-0663) It was discovered that libxml2 did not properly validate parsed entity references. An attacker could use this to specially construct XML data that could expose sensitive information. (CVE-2017-7375) It was discovered that a buffer overflow existed in libxml2 when handling HTTP redirects. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-7376) Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in libxml2 when handling elements. An attacker could use this to specially construct XML data that could cause a denial of service or possibly execute arbitrary code. (CVE-2017-9047) Marcel Böhme and Van-Thuan Pham discovered a buffer overread in libxml2 when handling elements. An attacker could use this to specially construct XML data that could cause a denial of service. (CVE-2017-9048) Marcel Böhme and Van-Thuan Pham discovered multiple buffer overreads in libxml2 when handling parameter-entity references. An attacker could use these to specially construct XML data that could cause a denial of service. (CVE-2017-9049, CVE-2017-9050) |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. Affected by 36 other vulnerabilities. |
VCID-x4wq-q8ae-kff2
Aliases: CVE-2024-25062 |
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. |
Affected by 4 other vulnerabilities. |
VCID-xg4b-67a2-xfe9
Aliases: CVE-2016-9318 |
Affected by 16 other vulnerabilities. |
|
VCID-xpfw-8p6z-jucb
Aliases: CVE-2019-20388 |
xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak. |
Affected by 16 other vulnerabilities. |
VCID-xppu-ubhq-zqd9
Aliases: CVE-2016-1838 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-xqxx-64je-4beu
Aliases: CVE-2012-2807 |
Affected by 83 other vulnerabilities. |
|
VCID-xwyr-vkz9-fubu
Aliases: CVE-2011-3919 |
Affected by 83 other vulnerabilities. |
|
VCID-y36w-m9px-c7c7
Aliases: CVE-2017-18258 GHSA-882p-jqgm-f45g |
Moderate severity vulnerability that affects nokogiri The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file. References: - https://nvd.nist.gov/vuln/detail/CVE-2017-18258 - https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb - https://github.com/advisories/GHSA-882p-jqgm-f45g - https://kc.mcafee.com/corporate/index?page=content&id=SB10284 - https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html - https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html - https://security.netapp.com/advisory/ntap-20190719-0001/ - https://usn.ubuntu.com/3739-1/ |
Affected by 16 other vulnerabilities. |
VCID-ypxg-52f8-gqe9
Aliases: CVE-2022-23308 |
valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes. |
Affected by 16 other vulnerabilities. |
VCID-z6qn-rugu-97eb
Aliases: CVE-2021-3541 |
A flaw was found in libxml2. An exponential entity expansion attack is possible, bypassing all existing protection mechanisms and leading to denial of service. |
Affected by 16 other vulnerabilities. |
VCID-zdd1-bz8t-rffx
Aliases: CVE-2023-29469 |
An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value). |
Affected by 16 other vulnerabilities. |
VCID-zvxh-nxmh-wbac
Aliases: CVE-2017-9047 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-zxp8-ej4m-cban
Aliases: CVE-2024-34459 |
An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c. |
Affected by 4 other vulnerabilities. |
VCID-zy48-puju-qbdd
Aliases: CVE-2016-4483 |
Affected by 81 other vulnerabilities. Affected by 48 other vulnerabilities. |
Vulnerability | Summary | Aliases |
---|---|---|
VCID-9k4f-nr7g-57cn |
CVE-2009-2414
|
|
VCID-9s88-74fb-wqfd |
CVE-2010-4008
|
|
VCID-fsap-5rcs-guh9 | Double Free Double free vulnerability in libxml2 and other versions, as used in Google Chrome and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling. |
CVE-2010-4494
|
VCID-ubmq-u6pa-wqhz |
CVE-2009-2416
|